IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Paul Kyzivat <pkyzivat@alum.mit.edu> Mon, 08 July 2019 16:57 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8680D1202B7 for <sipcore@ietfa.amsl.com>; Mon, 8 Jul 2019 09:57:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OR9TUKngGqbt for <sipcore@ietfa.amsl.com>; Mon, 8 Jul 2019 09:57:15 -0700 (PDT)
Received: from outgoing-alum.mit.edu (outgoing-alum.mit.edu [18.7.68.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED5601202F7 for <sipcore@ietf.org>; Mon, 8 Jul 2019 09:56:06 -0700 (PDT)
Received: from PaulKyzivatsMBP.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id x68Gu4rb002736 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for <sipcore@ietf.org>; Mon, 8 Jul 2019 12:56:04 -0400
To: sipcore@ietf.org
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu>
Date: Mon, 08 Jul 2019 12:56:04 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/oJv7BjruubE5vX_mB2zHzkTGOuc>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 16:57:29 -0000

On 7/7/19 7:19 AM, Rifaat Shekh-Yusef wrote:
> All,
> 
> We have submitted a new version of the document based on the feedback 
> provided so far.
> Please, take a look at let us know what you think.

This is better. I still have a few thoughts:

* Regarding WWW-Authenticate:

I believe it will how be possible for a server to support both Digest 
and Bearer. I think this means that the client can use either depending 
on what sort of credentials it or its user happen to know.

I think it would be good to mention this. I guess in principle the 
client could return credentials for both. In that case, I don't know 
whether both must be valid or if it is sufficient for one to be valid. 
Perhaps we need to discuss that. (Presumably only credentials for a/the 
realm that the server supports are to be considered, with those for 
other realms being ignored.)

* Regarding non-registration requests (and maybe registration requests too):

    The UA MUST NOT insert a token in a non-REGISTER request, unless the
    non-REGISTER request has been challenged, or the peer is considered a
    trusted entity.

What is a trusted entity? In any case I think this is too strong. Once a 
request has been challenged the client knows this target wants the 
credentials. We certainly don't want to force every subsequent request 
to the same target to take two round trips, one without credentials and 
then one with. So the client needs to associate these credentials with 
this target, for awhile. But that begs the question of how long to 
retain this association. In the case of Digest, a nonce eventually 
expires and the old credentials fail and get forgotten and replaced by 
new ones. I guess the life cycle will be somewhat different for Bearer. 
This needs some thought and discussion.

	Thanks,
	Paul

> Regards,
>   Rifaat
> 
> 
> 
> On Sun, Jul 7, 2019 at 7:18 AM <internet-drafts@ietf.org 
> <mailto:internet-drafts@ietf.org>> wrote:
> 
> 
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>     This draft is a work item of the Session Initiation Protocol Core WG
>     of the IETF.
> 
>              Title           : Third-Party Token-based Authentication
>     and Authorization for Session Initiation Protocol (SIP)
>              Authors         : Rifaat Shekh-Yusef
>                                Christer Holmberg
>                                Victor Pascual
>              Filename        : draft-ietf-sipcore-sip-token-authnz-02.txt
>              Pages           : 12
>              Date            : 2019-07-07
> 
>     Abstract:
>         This document defines a mechanism for SIP, that is based on the
>     OAuth
>         2.0 and OpenID Connect Core 1.0 specifications, to enable the
>         delegation of the user authentication and SIP registration
>         authorization to a dedicated third-party entity that is separate
>     from
>         the SIP network elements that provide the SIP service.
> 
> 
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/
> 
>     There are also htmlized versions available at:
>     https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-02
>     https://datatracker.ietf..org/doc/html/draft-ietf-sipcore-sip-token-authnz-02
>     <https://datatracker.ietf.org/doc/html/draft-ietf-sipcore-sip-token-authnz-02>
> 
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-sip-token-authnz-02
> 
> 
>     Please note that it may take a couple of minutes from the time of
>     submission
>     until the htmlized version and diff are available at tools.ietf.org
>     <http://tools.ietf.org>.
> 
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
> 
>     _______________________________________________
>     sipcore mailing list
>     sipcore@ietf.org <mailto:sipcore@ietf.org>
>     https://www.ietf.org/mailman/listinfo/sipcore
> 
> 
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>

v2.23.0 | Report a Bug | By Email